What is the best way to reissue user certificates after configuration change in a template?
I have set up my MS-ADCS environment in my company and configured auto-enrollment. I have everything working great, but found out that I want my "Subject Name Format" to have a different value.
We are not using the certificates yet in any service, so there's no real problem removing them and reissuing new ones.
My question is - what is the best way or the right way to remove all issued certificates (~200) with the wrong subject value and deploy the new certificates with the new (and right) subject value? All users are in AD and I can use scripts or group policy if needed.
Thanks.
EDIT: just to clarify my intent - I prefer to remove/delete the issued certificates with the wrong subject format and don't care at this point about the revocation list (note - I am aware of the consequences).
certificates public-key-infrastructure
edited 2 hours ago
asked 2 hours ago
DaveIce
3 Answers
ADCS has a feature for this.
Assuming you have the Certificate Services Client - Auto-Enrollment group policy configured, simply create a new template in the MMC with the correct SAN configuration and add the original template name to the Superseded Templates tab. Group policy will enroll for a new certificate with this template and delete the original for you.
There's no need to revoke anything as nothing's been compromised.
answered 58 mins ago
garethTheRed
Nice! That makes perfect sense... +1 for the answer, I'll update about the results.
– DaveIce
43 mins ago
If you don't use the certificates at any service and they don't have a real purpose atm, I guess it would be the best to revoke the issuing intermediate CA and create a new one issuing the right certificates.
This would be the most maintainable way to revoke all the certificates and your CRL would not get bloated before you even start using the certificates.
answered 2 hours ago
Lithilion
That is correct, but I prefer to remove the certificates with the wrong subject and have my users with the corrected certificate.
– DaveIce
2 hours ago
I think I've found the answer:
Right-clicking the template with the new change, there is an option to "Reenroll All Certificate Holders". Once that is chosen, the template version increases, so the next time the client verifies the certificate version against the template version on the CA, the client re-enrolls.
I tested it with a restart of one of the laptops and the result was only 1 user certificate with the right Subject format.
Note: I think for this option to show up, Auto-enrollment must be configured for the template.
edited 21 mins ago
answered 27 mins ago
DaveIce
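As an added example (not from any of the answers above), here is a PowerShell check a client-side admin could run after either the superseded-template or the "Reenroll All Certificate Holders" approach: it lists the current user's certificates issued from the template, reads the template name and major version out of the Certificate Template Information extension, flags any certificate that predates the expected template version, and optionally kicks autoenrollment with certutil -pulse. The template name, the expected version number and the regex over the extension's Windows display text are assumptions.

```powershell
# Added example: report which user certificates still predate the template version
# and optionally trigger autoenrollment. Template name/version below are assumed values.
param(
    [string]$TemplateName = 'CorpUserCert',   # assumed display name of the changed template
    [int]$ExpectedMajorVersion = 101,         # assumed version after "Reenroll All Certificate Holders"
    [switch]$Pulse                            # actually trigger autoenrollment when set
)

$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information (v2+ templates)

function Get-UserTemplateCerts {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        if (-not $ext) { return }                   # not issued from a v2+ template
        # Assumed display text: Template=Name(OID), Major Version Number=101, Minor Version Number=0
        $text = $ext.Format($false)
        if ($text -notmatch 'Template=([^(]+)\(') { return }
        $name  = $Matches[1].Trim()
        $major = if ($text -match 'Major Version Number=(\d+)') { [int]$Matches[1] } else { 0 }
        [pscustomobject]@{
            Thumbprint   = $_.Thumbprint
            Subject      = $_.Subject
            Template     = $name
            MajorVersion = $major
            NotAfter     = $_.NotAfter
        }
    }
}

$certs = Get-UserTemplateCerts | Where-Object Template -eq $TemplateName
$stale = @($certs | Where-Object MajorVersion -lt $ExpectedMajorVersion)

$certs | Format-Table Subject, MajorVersion, NotAfter -AutoSize
if ($stale.Count -gt 0) {
    Write-Host "$($stale.Count) certificate(s) predate template version $ExpectedMajorVersion"
    if ($Pulse) {
        # Same trigger the autoenrollment scheduled task uses: the client compares its
        # certificate's template version with the CA's and re-enrolls (or replaces a
        # certificate whose template has been superseded).
        certutil -user -pulse | Out-Null
    }
} else {
    Write-Host "All $TemplateName certificates are at version $ExpectedMajorVersion or later"
}
```

Run it once without -Pulse to see the current state, then with -Pulse on a test machine and re-run to confirm the old subject format is gone before relying on the template change fleet-wide.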